Chapter 18 Planning and Configuring
Non-Global Zones (Tasks)

This chapter describes what you need to do before you can configure
a zone on your system. This chapter also describes how to configure a zone,
modify a zone configuration, and delete a zone configuration from your system.

Determine whether the zone will be a shared-IP zone or an exclusive-IP
zone.

For a shared-IP zone, which is the default, obtain or configure IP addresses
for the zone. Depending on your configuration, you must obtain at least one
IP address for each non-global zone that you want to have network access.

For an exclusive-IP zone, determine the data-link that will be assigned
to the zone. The zone requires exclusive access to one or more network interfaces.
The interface could be a separate LAN such as bge1, or
a separate VLAN such as bge2000. The data-link must be
GLDv3. A data-link that is not GLDv3 is identified as type: legacy in the output of the dladm show-link command.

Evaluating the Current System Setup

Zones can be used on any machine that runs the Solaris 10 release. The
following primary machine considerations are associated with the use of zones.

The performance requirements of the applications running within
each zone.

The availability of disk space to hold the files that are
unique within each zone.

Disk Space Requirements

There are no limits on how much disk space can be consumed by
a zone. The global administrator is responsible for space restriction. The
global administrator must ensure that local storage is sufficient to hold
a non-global zone's root file system. Even a small uniprocessor system can
support a number of zones running simultaneously.

The nature of the packages installed in the global zone affects the
space requirements of the non-global zones that are created. The number of
packages and space requirements are factors.

Sparse Root Zones

In the Solaris 10 release, non-global zones that have inherit-pkg-dir resources
are called sparse root zones.

The sparse root zone model optimizes the sharing of objects in the following
ways:

Only a subset of the packages installed in the global zone
are installed directly into the non-global zone.

Read-only loopback file systems, identified as inherit-pkg-dir resources, are used to gain access to other files.

In this model, all packages appear to be installed in the non-global
zone. Packages that do not deliver content into read-only loopback mount
file systems are fully installed. There is no need to install content delivered
into read-only loopback mounted file systems since that content is inherited
(and visible) from the global zone.

As a general guideline, a zone requires about 100 megabytes
of free disk space per zone when the global zone has been installed with all
of the standard Solaris packages.

By default, any additional packages installed in the global
zone also populate the non-global zones. The amount of disk space required
might be increased accordingly, depending on whether the additional packages
deliver files that reside in the inherit-pkg-dir resource
space.

An additional 40 megabytes of RAM per zone are suggested, but not required
on a machine with sufficient swap space.

Whole Root Zones

The whole root zone model provides the maximum configurability. All
of the required and any selected optional Solaris packages are installed into
the private file systems of the zone. The advantages of this model include
the capability for global administrators to customize their zones' file system
layout. This would be done, for example, to add arbitrary unbundled or third-party
packages.

The disk requirements for this model are determined by the disk space
used by the packages currently installed in the global zone.

Note –

If you create a sparse root zone that contains the following inherit-pkg-dir directories, you must remove these directories from
the non-global zone's configuration before the zone is installed to
have a whole root zone:

Restricting Zone Size

The following options can be used to restrict zone size:

You can place the zone on a lofi-mounted
partition. This action will limit the amount of space consumed by the zone
to that of the file used by lofi. For more information,
see the lofiadm(1M) and lofi(7D) man pages.

You can use the standard partitions of a disk for zone roots,
and thus limit per-zone disk consumption.

Determine the Zone Host Name and Obtain
the Network Address

You must determine the host name for the zone. Then, you must assign
an IPv4 address or manually configure and assign an IPv6 address for the zone
if you want it to have network connectivity.

Zone Host Name

The host name
you select for the zone must be defined either in the hosts database
or in the /etc/inet/hosts database, as specified by the /etc/nsswitch.conf file in the global zone. The network databases
are files that provide network configuration information. The nsswitch.conf file specifies which naming service to use.

If you use local files for the naming service, the hosts database
is maintained in the /etc/inet/hosts file. The host names
for zone network interfaces are resolved from the local hosts database
in /etc/inet/hosts. Alternatively, the IP address itself
can be specified directly when configuring a zone so that no host name resolution
is required.

Shared-IP Zone Network Address

Each shared-IP zone that requires network connectivity has one
or more unique IP addresses. Both IPv4 and IPv6 addresses are supported.

IPv4 Zone Network Address

If you are using IPv4, obtain an address and assign the address to the
zone.

A prefix length can also be specified with the IP address. The format
of this prefix is address/prefix-length,
for example, 192.168.1.1/24. Thus, the address to use is 192.168.1.1 and the netmask to use is 255.255.255.0,
or the mask where the first 24 bits are 1-bits.

IPv6 Zone Network Address

If you are using IPv6, you must manually configure the address. Typically,
at least the following two types of addresses must be configured:

Link-local address

A link-local address is of the form fe80::<64-bit interface ID>/10. The /10 indicates
a prefix length of 10 bits.

Address formed from a global prefix configured on the
subnet

A global unicast address is based on a 64-bit prefix
that the administrator configures for each subnet, and a 64-bit interface
ID. The prefix can also be obtained by running the ifconfig command
with the -a6 option on any system on the same subnet that
has been configured to use IPv6.

The 64-bit interface ID is typically derived from a system's MAC
address. For zones use, an alternate address that is unique can be derived
from the global zone's IPv4 address as follows:

For example, if the global zone's IPv4 address is 192.168.200.10, a
suitable link-local address for a non-global zone using a zone-unique number
of 1 is fe80::c0a8:c80a:1/10. If the
global prefix in use on that subnet is 2001:0db8:aabb:ccdd/64,
a unique global unicast address for the same non-global zone is 2001:0db8:aabb:ccdd::c0a8:c80a:1/64. Note that you must specify a prefix length when configuring an
IPv6 address.
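The address arithmetic in the IPv4 and IPv6 sections above (prefix length to netmask, and the zone-unique interface ID derived from the global zone's IPv4 address) can be checked with a short script. The following is an added example, not part of the Solaris documentation: prefix_to_netmask turns a prefix length such as 24 into 255.255.255.0, ipv4_to_ifid hex-encodes 192.168.200.10 plus a zone-unique number into c0a8:c80a:1, and zone_ipv6_addrs produces the link-local and global unicast addresses shown above. The function names and sample values are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Solaris documentation: the address arithmetic
# the chapter describes, done in POSIX sh.
#   prefix_to_netmask  prefix-length -> dotted netmask (24 -> 255.255.255.0)
#   ipv4_to_ifid       global zone IPv4 + zone-unique number -> interface ID
#   zone_ipv6_addrs    link-local (fe80::ID/10) and global unicast (PREFIX::ID/64)
# All sample values below are constructed, not taken from a real system.

# prefix_to_netmask PREFIXLEN: print the dotted-decimal mask whose first
# PREFIXLEN bits are 1-bits; anything outside 0..32 is rejected.
prefix_to_netmask() {
    len=$1
    case $len in ''|*[!0-9]*) echo "bad prefix length: $len" >&2; return 1 ;; esac
    [ "$len" -le 32 ] || { echo "bad prefix length: $len" >&2; return 1; }
    mask=
    remaining=$len
    for i in 1 2 3 4; do
        if [ "$remaining" -ge 8 ]; then bits=8; else bits=$remaining; fi
        octet=$(( (255 << (8 - bits)) & 255 ))
        remaining=$(( remaining - bits ))
        mask="$mask${mask:+.}$octet"
    done
    printf '%s\n' "$mask"
}

# ipv4_to_ifid IPV4 ZONENUM: hex-encode the four octets into two 16-bit groups
# and append the zone-unique number as a third group (192.168.200.10, 1 -> c0a8:c80a:1).
ipv4_to_ifid() {
    ip=$1
    n=$2
    case $n in ''|*[!0-9]*|0[0-9]*) echo "bad zone number: $n" >&2; return 1 ;; esac
    [ "$n" -le 65535 ] || { echo "zone number must fit in 16 bits: $n" >&2; return 1; }
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    for octet in "$@"; do
        # leading zeros are rejected so printf cannot read an octet as octal
        case $octet in ''|*[!0-9]*|0[0-9]*) echo "bad octet in $ip: '$octet'" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "bad octet in $ip: $octet" >&2; return 1; }
    done
    printf '%02x%02x:%02x%02x:%x\n' "$1" "$2" "$3" "$4" "$n"
}

# zone_ipv6_addrs IPV4 ZONENUM GLOBALPREFIX: print the link-local address on
# line 1 and the global unicast address on line 2, both with a prefix length,
# because zonecfg requires one for IPv6 addresses.
zone_ipv6_addrs() {
    ifid=$(ipv4_to_ifid "$1" "$2") || return 1
    printf 'fe80::%s/10\n' "$ifid"
    printf '%s::%s/64\n' "${3%/*}" "$ifid"
}

# Demonstration with the chapter's sample values
prefix_to_netmask 24
zone_ipv6_addrs 192.168.200.10 1 2001:0db8:aabb:ccdd/64
```

The derived interface ID is only unique if the zone-unique number really is unique per zone on the global zone; the script enforces the numeric range but cannot know what other zones on the host are using, so keep that assignment in one place.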

For more information about link-local and global unicast addresses,
see the inet6(7P) man
page.

Exclusive-IP Zone Network Address

Inside an exclusive-IP zone, configure addresses as you do for the global
zone. Note that DHCP and IPv6 stateless address autoconfiguration can be used
to configure addresses.

File System Configuration

You can specify a number of mounts to be performed when the virtual
platform is set up. File systems that are loopback-mounted into a zone by
using the loopback virtual file system (LOFS) should be
mounted with the nodevices option. For information on the nodevices option, see File Systems and Non-Global Zones.

LOFS lets you create a new virtual file system so that you can access
files by using an alternative path name. In a non-global zone, a loopback
mount makes the file system hierarchy look as though it is duplicated under
the zone's root. In the zone, all files will be accessible with a path name
that starts from the zone's root. LOFS mounting preserves the file system
name space.

How to Configure the Zone

Note that the only required elements to create a native non-global zone
are the zonename and zonepath properties.
Other resources and properties are optional. Some optional resources also
require choices between alternatives, such as the decision to use either the dedicated-cpu resource or the capped-cpu resource.
See Zone Configuration Data for
information on available zonecfg properties and resources.

You must be the global administrator in the global zone to perform this
procedure.

If this is the first time you have configured this zone, you will see
the following system message:

my-zone: No such zone configured
Use 'create' to begin configuring a new zone.

Create the new zone configuration.

This procedure uses the default settings.

zonecfg:my-zone> create

Set the zone path, /export/home/my-zone in this procedure.

zonecfg:my-zone> set zonepath=/export/home/my-zone

Do not place the zonepath on ZFS for releases prior
to the Solaris 10 10/08 release.

Set the autoboot value.

If
set to true, the zone is automatically booted when the
global zone is booted. Note that for the zones to autoboot, the zones service svc:/system/zones:default must also be enabled. The default value
is false.

zonecfg:my-zone> set autoboot=true

Set persistent boot arguments for a zone.

zonecfg:my-zone> set bootargs="-m verbose"

Dedicate one CPU to this zone.

zonecfg:my-zone> add dedicated-cpu

Set the number of CPUs.

zonecfg:my-zone:dedicated-cpu> set ncpus=1-2

(Optional) Set the importance.

zonecfg:my-zone:dedicated-cpu> set importance=10

The default is 1.

End the specification.

zonecfg:my-zone:dedicated-cpu> end

Revise the default set of privileges.

zonecfg:my-zone> set limitpriv="default,sys_time"

This line adds the ability to set the system clock to the default set
of privileges.

Set the scheduling class to FSS.

zonecfg:my-zone> set scheduling-class=FSS

Add a memory cap.

zonecfg:my-zone> add capped-memory

Set the memory cap.

zonecfg:my-zone:capped-memory> set physical=50m

Set the swap memory cap.

zonecfg:my-zone:capped-memory> set swap=100m

Set the locked memory cap.

zonecfg:my-zone:capped-memory> set locked=30m

End the memory cap specification.

zonecfg:my-zone:capped-memory> end

Add a file system.

zonecfg:my-zone> add fs

Set the mount point for the file system, /usr/local in this procedure.

zonecfg:my-zone:fs> set dir=/usr/local

Specify that /opt/zones/my-zone/local in the global zone is to be mounted as /usr/local in
the zone being configured.

zonecfg:my-zone:fs> set special=/opt/zones/my-zone/local

In the non-global zone, the /usr/local file system
will be readable and writable.

Specify the file system type, lofs in this procedure.

zonecfg:my-zone:fs> set type=lofs

The type indicates how the kernel interacts with the file system.

End the file system specification.

zonecfg:my-zone:fs> end

This step can be performed more than once to add more than one file
system.

(Optional)
Set the hostid.

zonecfg:my-zone> set hostid=80f0c086

Add a ZFS dataset named sales in the
storage pool tank.

zonecfg:my-zone> add dataset

Specify the path to the ZFS dataset sales.

zonecfg:my-zone:dataset> set name=tank/sales

End the dataset specification.

zonecfg:my-zone:dataset> end

(Sparse Root Zone Only) Add a shared
file system that is loopback-mounted from the global zone.

Do not perform this step to create a whole root zone, which does not
have any shared file systems. See the discussion for whole root zones in Disk Space Requirements.

zonecfg:my-zone> add inherit-pkg-dir

Specify that /opt/sfw in
the global zone is to be mounted in read-only mode in the zone being configured.

zonecfg:my-zone:inherit-pkg-dir> set dir=/opt/sfw

Note –

The zone's packaging database is updated to reflect the packages.
These resources cannot be modified or removed after the zone has been installed
using zoneadm.

End the inherit-pkg-dir specification.

zonecfg:my-zone:inherit-pkg-dir> end

This step can be performed more than once to add more than one shared
file system.

Note –

If you want to create a whole root zone but default shared file
systems resources have been added by using inherit-pkg-dir,
you must remove these default inherit-pkg-dir resources
using zonecfg before you install the
zone:

zonecfg:my-zone> remove inherit-pkg-dir dir=/lib

zonecfg:my-zone> remove inherit-pkg-dir dir=/platform

zonecfg:my-zone> remove inherit-pkg-dir dir=/sbin

zonecfg:my-zone> remove inherit-pkg-dir dir=/usr

(Optional) If you are creating an exclusive-IP zone, set the ip-type.

zonecfg:my-zone> set ip-type=exclusive

Note –

Only the physical device type will be specified in the add
net step.

Add a network interface.

zonecfg:my-zone> add net

(shared-IP only) Set the IP address
for the network interface, 192.168.0.1 in this procedure.

zonecfg:my-zone:net> set address=192.168.0.1

Set the physical device type for the
network interface, the hme device in this procedure.

zonecfg:my-zone:net> set physical=hme0

Solaris 10 10/08: (Optional, shared-IP only) Set the default router
for the network interface, 10.0.0.1 in this procedure.

zonecfg:my-zone:net> set defrouter=10.0.0.1

End the specification.

zonecfg:my-zone:net> end

This step can be performed more than once to add more than one network
interface.

Add a device.

zonecfg:my-zone> add device

Set the device match, /dev/sound/* in this procedure.

zonecfg:my-zone:device> set match=/dev/sound/*

End the device specification.

zonecfg:my-zone:device> end

This step can be performed more than once to add more than one device.

Add a zone-wide resource control by
using the property name.

zonecfg:my-zone> set max-sem-ids=10485200

This step can be performed more than once to add more than one resource
control.

Add a comment by using the attr resource
type.

zonecfg:my-zone> add attr

Set the name to comment.

zonecfg:my-zone:attr> set name=comment

Set the type to string.

zonecfg:my-zone:attr> set type=string

Set the value to a comment that describes
the zone.

zonecfg:my-zone:attr> set value="This is my work zone."

End the attr resource
type specification.

zonecfg:my-zone:attr> end

Verify the zone configuration for the
zone.

zonecfg:my-zone> verify

Commit the zone configuration for the
zone.

zonecfg:my-zone> commit

Exit the zonecfg command.

zonecfg:my-zone> exit

Note that even if you did not explicitly type commit at
the prompt, a commit is automatically attempted when you
type exit or an EOF occurs.

Using Multiple Subcommands From the Command Line

Tip –

The zonecfg command also supports multiple subcommands,
quoted and separated by semicolons, from the same shell invocation.
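The session in How to Configure the Zone can be scripted the same way the Tip describes. The script below is an added example, not from the Solaris documentation and not part of zonecfg itself: it emits the chapter's subcommands as a command file for zonecfg -z zonename -f command_file, and as the semicolon-separated one-liner, switching between the sparse root and whole root models and between shared-IP and exclusive-IP. The zone name, paths, addresses and the rules in check_inputs are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the Solaris documentation or of zonecfg: generate
# the subcommands of the interactive session in this chapter as a command file
# ("zonecfg -z ZONE -f FILE") or as the semicolon-separated one-liner from the Tip.
# Every value below is a constructed sample; check_inputs rejects settings that
# would fail "verify" or leave the network side under-specified.

ZONE=my-zone
ZONEPATH=/export/home/my-zone
MODEL=sparse              # sparse (keep inherit-pkg-dir resources) or whole
IPTYPE=shared             # shared or exclusive
NETADDR=192.168.0.1/24    # shared-IP only; this example requires a prefix length
NETPHYS=hme0
DEFROUTER=10.0.0.1        # shared-IP only, Solaris 10 10/08 and later

check_inputs() {
    case $ZONEPATH in /*) ;; *) echo "zonepath must be absolute: $ZONEPATH" >&2; return 1 ;; esac
    case $MODEL in sparse|whole) ;; *) echo "MODEL must be sparse or whole: $MODEL" >&2; return 1 ;; esac
    case $IPTYPE in shared|exclusive) ;; *) echo "IPTYPE must be shared or exclusive: $IPTYPE" >&2; return 1 ;; esac
    case $NETPHYS in ''|*[!A-Za-z0-9]*) echo "bad data-link name: $NETPHYS" >&2; return 1 ;; esac
    if [ "$IPTYPE" = shared ]; then
        # insist on address/prefix-length so the netmask is never left implied
        case $NETADDR in */[0-9]*) ;; *) echo "address needs /prefix-length: $NETADDR" >&2; return 1 ;; esac
    fi
    return 0
}

# emit_commands: one zonecfg subcommand per line, in the order of the chapter
emit_commands() {
    check_inputs || return 1
    echo "create"
    echo "set zonepath=$ZONEPATH"
    echo "set autoboot=true"
    echo "add dedicated-cpu"
    echo "set ncpus=1-2"
    echo "end"
    # least privilege: start from the default set and add only sys_time
    echo "set limitpriv=default,sys_time"
    echo "set scheduling-class=FSS"
    echo "add capped-memory"
    echo "set physical=50m"
    echo "set swap=100m"
    echo "set locked=30m"
    echo "end"
    echo "add fs"
    echo "set dir=/usr/local"
    echo "set special=/opt/zones/$ZONE/local"
    echo "set type=lofs"
    echo "add options nodevices"   # lofs mounts into a zone should carry nodevices
    echo "end"
    if [ "$MODEL" = sparse ]; then
        echo "add inherit-pkg-dir"
        echo "set dir=/opt/sfw"
        echo "end"
    else
        # "create" adds the default inherit-pkg-dir resources; a whole root
        # zone must drop them before the zone is installed
        for d in /lib /platform /sbin /usr; do
            echo "remove inherit-pkg-dir dir=$d"
        done
    fi
    if [ "$IPTYPE" = exclusive ]; then
        echo "set ip-type=exclusive"
    fi
    echo "add net"
    if [ "$IPTYPE" = shared ]; then
        echo "set address=$NETADDR"
        echo "set defrouter=$DEFROUTER"
    fi
    echo "set physical=$NETPHYS"
    echo "end"
    echo "verify"
    echo "commit"
}

# one_liner: the same subcommands quoted and separated by semicolons
one_liner() {
    cmds=$(emit_commands) || return 1
    printf 'zonecfg -z %s "%s"\n' "$ZONE" \
        "$(printf '%s\n' "$cmds" | awk 'NR > 1 { printf "; " } { printf "%s", $0 } END { print "" }')"
}

# Demonstration: the command file on stdout, then the one-line form
emit_commands
one_liner
```

To use the command-file form, redirect emit_commands into a file and pass it with zonecfg -z my-zone -f that-file; the generated text ends with verify and commit, so a configuration that fails verification is reported before anything is committed. The inherit-pkg-dir handling follows the Note above: once the zone is installed with zoneadm those resources can no longer be changed, so the choice between sparse and whole root is made here, before installation.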